feat: add elastic endpoint rule (#8)

FourCoreLabs · Dec 9, 2021 · d2ee597 · d2ee597
1 parent 6d8f554
commit d2ee597
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 9 deletions.
diff --git a/pkg/edrRecon/edrdata.go b/pkg/edrRecon/edrdata.go
@@ -284,6 +284,11 @@ var EdrList = []string{
 	"threat",
 	"xagt.exe",
 	"xagtnotif.exe",
+	"Elastic Agent",
+	"elastic-agent.exe",
+	"elastic-endpoint.exe",
+	"elastic-endpoint-driver",
+	"ElasticEndpoint",
 }
 
 var ReconList = []string{
@@ -300,6 +305,7 @@ var ReconList = []string{
 	"SystemProductName",
 	"LocalAccountTokenFilterPolicy",
 	"LsaCfgFlags",
+	"elastic",
 }
 
 var McafeeList = []string{

diff --git a/pkg/resources/scan_edr.go b/pkg/resources/scan_edr.go
@@ -9,13 +9,14 @@ type EDRDetection interface {
 type EDRType string
 
 var (
-	WinDefenderEDR EDRType = "defender"
-	KaskperskyEDR  EDRType = "kaspersky"
-	CrowdstrikeEDR EDRType = "crowdstrike"
-	McafeeEDR      EDRType = "mcafee"
-	SymantecEDR    EDRType = "symantec"
-	CylanceEDR     EDRType = "cylance"
-	CarbonBlackEDR EDRType = "carbon_black"
-	SentinelOneEDR EDRType = "sentinel_one"
-	FireEyeEDR     EDRType = "fireeye"
+	WinDefenderEDR  EDRType = "defender"
+	KaskperskyEDR   EDRType = "kaspersky"
+	CrowdstrikeEDR  EDRType = "crowdstrike"
+	McafeeEDR       EDRType = "mcafee"
+	SymantecEDR     EDRType = "symantec"
+	CylanceEDR      EDRType = "cylance"
+	CarbonBlackEDR  EDRType = "carbon_black"
+	SentinelOneEDR  EDRType = "sentinel_one"
+	FireEyeEDR      EDRType = "fireeye"
+	ElasticAgentEDR EDRType = "elastic_agent"
 )
diff --git a/pkg/scanners/scan_elastic.go b/pkg/scanners/scan_elastic.go
@@ -0,0 +1,31 @@
+package scanners
+
+import "github.com/FourCoreLabs/EDRHunt/pkg/resources"
+
+type ElasticAgentDetection struct{}
+
+func (w *ElasticAgentDetection) Name() string {
+	return "Elastic Endpoint Security"
+}
+
+func (w *ElasticAgentDetection) Type() resources.EDRType {
+	return resources.ElasticAgentEDR
+}
+
+var ElasticAgentHeuristic = []string{
+	"Elastic Endpoint Security",
+	"Elastic Agent",
+	"elastic-agent.exe",
+	"elastic-endpoint.exe",
+	"elastic-endpoint-driver",
+	"ElasticEndpoint",
+}
+
+func (w *ElasticAgentDetection) Detect(data resources.SystemData) (resources.EDRType, bool) {
+	_, ok := data.CountMatchesAll(ElasticAgentHeuristic)
+	if !ok {
+		return "", false
+	}
+
+	return resources.ElasticAgentEDR, true
+}
diff --git a/pkg/scanners/scanner.go b/pkg/scanners/scanner.go
@@ -13,5 +13,6 @@ var (
 		&SymantecDetection{},
 		&SentinelOneDetection{},
 		&WinDefenderDetection{},
+		&ElasticAgentDetection{},
 	}
 )